Cloud Controls Matrix

CCMv4 Workshop Session - December 3rd [Meeting Minutes]


    Posted Dec 07, 2020 05:52:00 AM
    Hi everyone,

    here are the minutes of our recent workshop session on Dec 3rd.


    Activities & Worksheets:
    CCMv4 -to- AICPA TSC 2017 mapping (mapping tool)
    CCMv4 -to- ISO27001/02/17/18 mapping (mapping tool)
    CCMv4 -to- CCMv3.0.1 mapping (mapping tool)
    Implementation Guidance - IG development (worksheet)
    Control Applicability Matrices - CAMs development (worksheet)


    Agenda Items (AIs)
    1. Progress status overview for the following activities:
    • Mappings of CCMv4.0 to TSC, ISO27001/02/17/18, CCMv3.0.1
    • Implementation Guidance - IG development
    • Control Applicability Matrices - CAMs development
    2. AoB

    Participants (16):
    Sandra Ackland
    Geoff Bird
    Glenn Bluff
    Vitor Dapper
    Angela Dogan
    Angell Duran
    Odutola Ekundayo
    Roberto Hernandez
    Frank Jaramillo
    John Joel
    Erik Johnson
    Nancy Kramer
    Giovanni Massard
    Vani Murthy
    Johan Olivier
    Lefteris Skoutaris (PM)



    Meeting Minutes (MMs):

    1. Progress status overview for the following activities:

    Mappings of CCMv4.0 -to- TSC, ISO27001/02/17/18, CCMv3.0.1

    • The CCMv4.0 -to- AICPA TSC 2017 mapping is complete (Congrats to the teams!),
    • The CCMv4.0 -to- CCMv3.0.1 mapping is complete (Congrats to the teams!),
    • The CCMv4.0 -to- ISO27001/02/17/18 mapping is progressing very well, 15/17 domain mappings are delivered, with 2 being very close to completion (i.e., input is provided by both reviewers and waiting for final consolidation),
    • During the meeting professionals discussed the resolution of comments provided during the mapping review and validation phase,
    • Professionals are kindly asked to consult the "Status Comments" column J on the mapping of V4 to the ISOs for pending actions (AP1),
    • The group carried on the discussion with regards to the mapping methodology approach that should be followed by professionals when comparing two requirements. The debate focused on whether the comparison should be based on a grammatical analysis of the requirements or whether professionals should interpret the compared requirements holistically based on their own experience. The group decided that mappings should be carried out following the former approach. Sandra offered to draft a paragraph that would describe such a methodology approach (AP2),


    Implementation Guidance (IG) development (Deadline 17/12/20)

    • IG development is progressing well, 7 domains and underlying controls had their guidance developed and reviewed (by 1st & 2nd reviewers),
    • 9 domains are in good progress (again here engaging 2 professionals, for development and validation review) and 1 has not yet started,
    • Lefteris kindly invited Nancy (GRC, SEF) and Vani (LOG, IAM) to consolidate their inputs into a final IG version for the aforementioned domains,
    • Lefteris agreed with Erik to schedule a meeting for the development of IG for STA-11 and STA-16,
    • Agni offered to take on the development of IG for the TVM domain (Brian offered to help out as well),
    • Geoff offered to take on the 2nd review of the IG of the CCC domain,
    • Professionals are kindly asked to consult the "Status Comments" column H for any pending assignments (AP3).


    Control Applicability Matrices (CAMs) development (Deadline 11/12/20)

    • CAMs development is progressing well, 10 domains have been mapped to the controls applicability matrices, and 7 domains are very close to delivery and waiting for final consolidation,
    • Swapped Erik with Nancy on the STA CAMs mapping,
    • Lefteris to schedule a call with Claus and Chirag to discuss the IAM CAMs mapping (AP4),
    • Rajeev has helped with the development of the definitions of the underlying elements of the "Architectural relevance" column (see "Guidance/Terms" tab). Professionals are kindly invited to review the definitions (rows 9-14) and comment with any updates. Special focus to be given to the current definition of the "compute" element and whether it needs to be reviewed (AP5),
    • Professionals are kindly asked to consult the "Status Comments" column H for any pending assignments (AP6).

    2. AoB

    • Next CCMv4 mappings workshop is scheduled for December 10th, 6 pm EEST (8 am PST/ 5 pm CET/ 11 am EST).




    Action Points (APs):

    • AP1/AP3/AP6: Professionals are kindly asked to consult the "Status Comments" column per activity for any pending assignments.
    • AP2: Sandra offered to produce a draft on the mapping methodology that was discussed and agreed during the meeting, and suggested to be followed in future mappings.
    • AP4: Lefteris to schedule a call with Claus and Chirag to discuss the IAM CAMs mapping.
    • AP5: Professionals are kindly invited to review the definitions of the underlying elements of the "Architectural relevance" column (see "Guidance/Terms" tab, rows 9-14). Special focus to be given to the "Compute" section and its current definition.

    Please let me know if anything important is missed above.

    Thank you all for your attendance and fruitful discussions.

    Best regards,

    Lefteris



    Progress status snapshots of all CCMv4 exercises (up to 7/12/20)

    CCMv4-to-TSC2017 (Delivered)
    CCMv4-to-CCMv3.0.1 (Delivered)
    CCMv4-to-ISO27001/02/17/18 (In Progress)
    Implementation Guidance (IG) (In Progress)
    Control Applicability Matrices (CAMs) (In Progress)




    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------